Configuration data in a configuration service is typically stored in plaintext. To enhance the security of sensitive data, such as data sources, tokens, usernames, and passwords, Microservices Engine (MSE) integrates with Key Management Service (KMS) to encrypt and decrypt configuration data. This integration helps reduce the risk of sensitive data leaks.
Prerequisites
A Nacos engine of the Developer Edition, Professional Edition, or Serverless Edition is created.
You have activated Key Management Service (KMS).
A KMS instance is purchased and enabled. The image version of the KMS instance must be dkms-3.0.0 or later. For more information, see Purchase and enable a KMS instance and Upgrade the image version of a KMS instance.
A key is created. For more information, see Getting started with keys.
To ensure data security, MSE uses Alibaba Cloud KMS to encrypt and decrypt data. KMS includes Shared KMS and Dedicated KMS. Shared KMS is no longer available. For more information, see [Announcement] EOFS and EOS for the shared KMS. If you use Shared KMS, we recommend that you upgrade Shared KMS to Dedicated KMS. If you activate KMS after March 31, 2022, you must purchase Dedicated KMS. For more information, see [Upgrade Announcement] KMS is upgraded to Dedicated KMS. For more information about KMS billing, see Billing of KMS.
This topic uses Dedicated KMS as an example. If you activated Shared KMS before March 31, 2022, see the FAQ section for configuration details.
Create an encrypted configuration
Follow these steps to create an encrypted configuration in the MSE console.
Log on to the MSE console, and select a region in the top navigation bar.
In the left-side navigation pane, choose Microservices Registry > Instances.
On the Instances page, click the name of the instance.
In the left-side navigation pane, choose Configuration Management > Configurations.
In the upper-left corner of the Configurations page, select a namespace from the Namespace drop-down list, and click Add Configuration.
In the Create Configuration panel, enter the Data ID and Group, enable the Data Encryption switch, and then select a KMS Key. If you do not have a KMS Key, click Create. You can create a key in the Key Management Service console. After the key is created, you can refresh the Create Configuration panel to view the new KMS key.
ImportantIf you activated Dedicated KMS after March 31, 2022, you must select the Key ID to use for encryption and associate the Key ID with the Nacos instance. All subsequent configurations will then be encrypted using this key.
If you are not prompted to associate the key ID of a Dedicated KMS instance, it means you activated KMS before March 31, 2022 and can still use Shared KMS. The configuration methods for applications to access Shared KMS are different.
For users who use Dedicated KMS, KMS AES-256 encryption is displayed. For backward compatibility, three encryption methods are displayed for users who use an earlier version of Shared KMS. However, we recommend that you do not use KMS encryption or KMS AES-128 encryption.
KMS AES-256 encryption: This method uses the KMS envelope encryption and decryption method with a 256-bit key, providing high encryption strength. The size of the encrypted configuration content cannot exceed 50 KB. Plaintext configuration data is not transmitted to the KMS system. This method provides higher security and is recommended. Select an encryption method based on your needs.
KMS AES-128 encryption: This method uses a 128-bit key and provides medium encryption strength. The size of the encrypted configuration content cannot exceed 50 KB.
KMS encryption: This method is not recommended because it has compatibility issues with special characters (for example, the
&symbol is escaped as\u0026) and the encrypted configuration content cannot exceed 6 KB.
After a key is associated, you cannot change the key for the MSE Nacos instance. If you delete the key, you will lose access to the encrypted configurations.
In the Configuration Format section, select a data format, enter the content in the Configuration Content text box on the right, and then click Release.
Use an encrypted configuration in Nacos SDK for Java
Add the following dependencies to the pom.xml file in the project.
<dependency> <groupId>com.alibaba.nacos</groupId> <artifactId>nacos-client</artifactId> <version>{nacos-client-version}</version> </dependency> <dependency> <groupId>com.alibaba.nacos</groupId> <artifactId>nacos-client-mse-extension</artifactId> <version>{nacos-client-mse-extension-version}</version> </dependency>Version guide
Nacos client major version
Nacos client version
Recommended plugin version
1.x
1.4.3 or later
1.0.6 or later
2.x
2.1.1 or later
1.0.6 or later
ImportantStability issues may occur if the encryption and decryption plugin version does not match the Nacos client version. We recommend that you use the recommended versions.
Configure the code based on the framework you use.
Use Nacos Client directly
If you use the Nacos Client framework to retrieve configurations, use the following sample code.
try { Properties properties = new Properties(); // The endpoint of your Nacos cluster. properties.put("serverAddr", "{serverAddr}"); // Configure the RAM role of the ECS instance as the access credential. properties.put("ramRoleName", "{ramRoleName}"); // The endpoint of the KMS instance. properties.put("kmsEndpoint", "{kmsEndpoint}"); ConfigService configService = NacosFactory.createConfigService(properties); System.out.println("content:::"+configService.getConfig("{dataId}", "{group}", 6000)); } catch (Exception e) { e.printStackTrace(); }The kmsEndpoint parameter specifies the endpoint of the KMS instance. If the application and the KMS instance are in the same VPC, set this parameter to the VPC endpoint of the instance. If you access the KMS instance over the Internet, set this parameter to the public endpoint or the VPC endpoint of the public gateway. For more information about how to obtain the endpoint, see How do I obtain the endpoint of a KMS instance?
If you use an AccessKey pair for authentication, replace the following configuration:
properties.put("ramRoleName", "{ramRoleName}");with the following configuration:
properties.put("accessKey", "{accessKey}"); properties.put("secretKey", "{secretKey}");The Nacos SDK for Java supports multiple access credentials for encrypted configurations, such as Security Token Service (STS) tokens and the Alibaba Cloud Resource Name (ARN) of a RAM role. For more information about supported access credentials and client configuration methods, see Supported access credentials for configuration encryption.
If you activated KMS after March 31, 2022, and want to publish encrypted configurations from the SDK, add the following code:
properties.put("keyId", "{keyId}");Replace the serverAddr, ramRoleName, accessKey, secretKey, kmsEndpoint, dataId, group, and keyId parameters in the code with your actual service parameters.
Use the Spring Cloud Nacos Config framework
NoteIf you use Spring Cloud Alibaba 2022.x or 2023.x, upgrade the version to 2023.0.1.2.
If you use Spring Cloud Alibaba 2021.x, upgrade the version to 2021.0.6.1.
If you use Spring Cloud Alibaba 2.x, upgrade the version to 2.2.10.
Make sure that the version mappings among Spring Cloud Alibaba, Spring Cloud, and Spring Boot are correct. For more information about the version mappings, see the release notes for the related branch on the Spring Cloud Alibaba official website.
If you use the Spring Cloud Nacos Config framework to retrieve configurations, add the following configurations.
spring.cloud.nacos.config.server-addr={serverAddr} spring.config.import=nacos:{dataId}?group={group}&refreshEnabled=true # Configure the RAM role of the ECS instance as the access credential. spring.cloud.nacos.config.ramRoleName={ramRoleName} spring.cloud.nacos.config.kmsEndpoint={kmsEndpoint}The kmsEndpoint parameter specifies the endpoint of the KMS instance. If the application and the KMS instance are in the same VPC, set this parameter to the VPC endpoint of the instance. If you access the KMS instance over the Internet, set this parameter to the public endpoint or the VPC endpoint of the public gateway. For more information about how to obtain the endpoint, see How do I obtain the endpoint of a KMS instance?
If you use an AccessKey pair for authentication, replace the following configuration:
spring.cloud.nacos.config.ramRoleName={ramRoleName}with the following configurations:
spring.cloud.nacos.config.accesskey={accessKey} spring.cloud.nacos.config.secretkey={secretKey} # If an AccessKey pair is used to access your Nacos instance, we recommend that you specify the AccessKey pair using JVM parameters or environment variables due to the particularity of the parameters. # JVM parameters -Dspring.cloud.nacos.config.accessKey={accessKey} -Dspring.cloud.nacos.config.secretKey={secretKey} # Environment variables spring_cloud_nacos_config_accessKey={accessKey} spring_cloud_nacos_config_secretKey={secretKey}The Nacos SDK for Java supports multiple access credentials for encrypted configurations, such as Security Token Service (STS) tokens and the Alibaba Cloud Resource Name (ARN) of a RAM role. For more information about supported access credentials and client configuration methods, see Supported access credentials for configuration encryption.
If you activated KMS after March 31, 2022, and want to publish encrypted configurations from the SDK, add the following configuration:
spring.cloud.nacos.config.keyId={keyId}Replace the serverAddr, ramRoleName, accessKey, secretKey, kmsEndpoint, dataId, group, and keyId parameters in the code with your actual service parameters.
Parameter description
Make sure that the following parameters are correctly set.
Parameter
Description
serverAddr
The endpoint of the MSE cluster. Example:
mse-*****.nacos-ans.mse.aliyuncs.com.ramRoleName
The RAM role that is attached to the ECS instance or ACK cluster.
accessKey, secretKey
The AccessKey ID and AccessKey secret of your Alibaba Cloud account.
You can specify either the ramRoleName parameter or the accessKey and secretKey parameters.
kmsEndpoint
The endpoint of the KMS instance. If the access environment and the KMS instance are in the same VPC, the value of kmsEndpoint is the VPC endpoint of the instance. If you access the KMS instance over the Internet, the value of kmsEndpoint is the public endpoint or VPC endpoint of the public gateway. For more information about how to obtain the endpoint, see How do I obtain the endpoint of a KMS instance?
dataId
The data ID of the encrypted configuration. Example:
cipher-kms-aes-256-****.properties.group
The group name of the encrypted configuration.
keyId
The ID of the KMS key that is used to encrypt configurations. You can create and use a KMS key in the KMS console.
Example:
alia/***orkey-***.
Use an encrypted configuration in Nacos SDK for Go
Run the
go getcommand to download theNacos Client Go SDKdependencies.go get -u github.com/nacos-group/nacos-sdk-go/v2@v2.2.8Modify the Nacos client initialization configuration.
The Nacos SDK for Go only supports using an AccessKey pair as the credential to access the KMS instance. In the code, replace the serverAddr, accessKey, secretKey, and kmsEndpoint parameters with your business parameters and ensure that the
OpenKMS: trueparameter is set to enable configuration encryption.sc := []constant.ServerConfig{ { IpAddr: "{serverAddr}", // Replace the value with the endpoint of your MSE instance. Port: 8848, }, } var accessKey = "{accessKey}" var secretKey = "{secretKey}" cc := constant.ClientConfig{ NamespaceId: "public", // The ID of the namespace. OpenKMS: true, // Enable KMS-based encryption for configurations. AccessKey: accessKey, SecretKey: secretKey, KMSConfig: &constant.KMSConfig{Endpoint: "{kmsEndpoint}",}, TimeoutMs: 5000, NotLoadCacheAtStart: true, LogDir: "/tmp/nacos/log", CacheDir: "/tmp/nacos/cache", RotateTime: "1h", MaxAge: 3, }The kmsEndpoint parameter specifies the endpoint of the KMS instance. If the application and the KMS instance are in the same VPC, set this parameter to the VPC endpoint of the instance. If you access the KMS instance over the Internet, set this parameter to the public endpoint or the VPC endpoint of the public gateway. For more information about how to obtain the endpoint, see How do I obtain the endpoint of a KMS instance?
Publish the encrypted configuration.
keyId: The ID of the KMS key used for configuration encryption.configParam := vo.ConfigParam{ DataId: "{dataId}", Group: "{group}", Content: "content", KmsKeyId: "{keyId}", // The ID of the KMS key that is used to encrypt configurations. You can create and use a KMS key in the KMS console. } published, err := client.PublishConfig(configParam) if published && err == nil { fmt.Printf("successfully publish: group[%s], dataId[%s], data[%s]\n", configParam.Group, configParam.DataId, configParam.Content) } else { fmt.Printf("failed to publish: group[%s], dataId[%s], data[%s]\n with error: %s\n", configParam.Group, configParam.DataId, configParam.Content, err) }
Parameter description
Make sure that the following parameters are correctly set.
Parameter | Description |
serverAddr | The endpoint of the MSE cluster. Example: |
accessKey, secretKey | The AccessKey ID and AccessKey secret of the RAM user. |
kmsEndpoint | The endpoint of the KMS instance. If the access environment and the KMS instance are in the same VPC, the value of kmsEndpoint is the VPC endpoint of the instance. If you access the KMS instance over the Internet, the value of kmsEndpoint is the public endpoint or VPC endpoint of the public gateway. For more information about how to obtain the endpoint, see How do I obtain the endpoint of a KMS instance? |
dataId | The data ID of the encrypted configuration. Example: |
group | The group name of the encrypted configuration. |
keyId | The ID of the KMS key that is used to encrypt configurations. You can create and use a KMS key in the KMS console. Example: |
Supported access credentials for configuration encryption
The Nacos SDK for Java supports multiple types of access credentials for configuration encryption. You can select an initialization method for the credential provider based on the authentication and authorization requirements of your scenario.
The Nacos SDK for Java supports the following types of access credentials:
For more information about how to configure access credentials on the client, see the configuration center section in Access authentication by the Nacos client. Grant the required permissions to the access credential by selecting the following system policy. This operation is a coarse-grained authorization that grants read and write permissions on all KMS instances.
Access policy name | Description |
AliyunKMSFullAccess | The permission to manage KMS. A RAM user to which this policy is attached has the permissions to perform all operations on all features, which is equivalent to the permissions of an Alibaba Cloud account. |
FAQ
How do I configure parameters if the Shared KMS that was activated before March 31, 2022, is used?
If you activated Shared KMS before March 31, 2022, you only need to replace the kmsEndpoint parameter with kmsRegionId in the preceding configurations. The kmsRegionId parameter specifies the region where the KMS instance resides, such as cn-hangzhou. Modify the client configuration based on the framework you use.
Use an encrypted configuration in the Nacos client for the Java SDK
Replace the following configuration in the code:
properties.put("kmsEndpoint", "{kmsEndpoint}");Replace with
properties.put("kms_region_id", "{kmsRegionId}");Use an encrypted configuration using the Spring Cloud Nacos Config framework for the Java SDK
Replace the following configuration in the configuration file:
spring.cloud.nacos.config.kmsEndpoint={kmsEndpoint}with the following configuration:
spring.cloud.nacos.config.kms_region_id={kmsRegionId}Use an encrypted configuration in the Go SDK
In ClientConfig, configure the RegionId parameter. Replace the following configurations:
cc := constant.ClientConfig{
NamespaceId: "public",
OpenKMS: true,
AccessKey: accessKey,
SecretKey: secretKey,
KMSConfig: &constant.KMSConfig{Endpoint: "{kmsEndpoint}",},
TimeoutMs: 5000,
NotLoadCacheAtStart: true,
LogDir: "/tmp/nacos/log",
CacheDir: "/tmp/nacos/cache",
RotateTime: "1h",
MaxAge: 3,
}Replace with
cc := constant.ClientConfig{
NamespaceId: "public",
OpenKMS: true,
AccessKey: accessKey,
SecretKey: secretKey,
TimeoutMs: 5000,
NotLoadCacheAtStart: true,
LogDir: "/tmp/nacos/log",
CacheDir: "/tmp/nacos/cache",
RotateTime: "1h",
MaxAge: 3,
RegionId: "{kmsRegionId}",
}How do I obtain the endpoint of a KMS instance?
If your application and the KMS instance are in the same VPC, use the VPC endpoint shown on the KMS instance management page as the value for kmsEndpoint.
If you access the KMS instance over the Internet, you must enable public access for the corresponding UID on the KMS instance management page.
If your application is in an Alibaba Cloud VPC, use the VPC endpoint of the public gateway as the value for kmsEndpoint.
Troubleshooting
Troubleshoot common errors
Perform the following checks to troubleshoot errors:
Ensure that the application runtime environment can access the VPC endpoints of the MSE and KMS instances.
NoteThe MSE instance and the KMS instance do not need to access each other over the network.
Check whether you are using KMS
v1.0orv3.0. If you are using KMS v1.0, you must have activated KMS before March 31, 2022.NoteIf you activated KMS after March 31, 2022, you must purchase Dedicated KMS. The encryption feature of KMS 1.0 is no longer available to new users.
Ensure that the Nacos client version matches the encryption and decryption plugin version. For more information, see the version guide in this topic.
Troubleshoot Nacos Java SDK issues
Exception keyword in Nacos logs | Cause |
| The |
| The key ID specified by the |
| The |
| The network specified by the |
| The |
| The |
| The |
|
|
| The |
| The file specified by the |